
How not to run a CA

TL;DR: Forget your EV and other paid certs. Just use “Let’s Encrypt”. You get a certificate, it is fresh, and compared to a paid one it makes no difference whatsoever. At least not any difference that you or anyone else can check for, or cares about.

Actual Trustico ad from their website (Screenshot 01-Mar-2018)

Here is how:

Chrome is going to distrust the Symantec root certificates soon, because Symantec repeatedly failed at running a Certificate Authority properly. Certificates sold by a reseller that chain up to a Symantec root will become invalid in Chrome, regardless of the expiry date written in the certificate.

Trustico wanted to move their customers from Symantec to Comodo, another company that has repeatedly failed at running a Certificate Authority properly, but which is not distrusted by Chrome, yet.

They asked Digicert, who bought Symantec’s certificate business, to revoke (“cancel”) the certificates Trustico had sold to their customers, just because Trustico said so. That, said Digicert, is not possible: none of the conditions under which a certificate may be revoked had been met, and a CA that revokes certificates merely because somebody asks is not running a Certificate Authority properly, which Digicert would rather not do.

Apparently Digicert also gave examples of proper causes for certificate revocation, and the prime cause for revoking a certificate is that its private key (which is supposed to be a secret known only to the rightful owner of the certificate, who is neither Digicert nor Trustico) has become known to people who have no business knowing it. Under the CA/Browser Forum Baseline Requirements a CA that obtains evidence of such a key compromise must revoke the certificate within 24 hours.

So the CEO of Trustico, Zane Lucas, mailed the private keys of 23,000 Trustico customers to Digicert. That compromised those keys by definition and forced the revocation of the certificates, and at the same time it proved that Trustico knew all of their customers’ private keys and kept copies of them, which shows that they never knew how to run a certificate business in the first place. It compromised the security of all 23,000 customers retroactively, and it also ends Trustico’s presence in the security space for good.
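The practical lesson of the two paragraphs above is that the private key must never leave the machine it belongs on: the reseller or CA only ever needs a Certificate Signing Request, which carries the public key and nothing else. As an added example that is not part of the original post, here is the local key and CSR generation with openssl, together with the checks a practitioner can run before handing the CSR over. The hostname www.example.com and the working directory are hypothetical placeholders, and an installed openssl is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key pair on your own
# server and give the reseller or CA nothing but the CSR. The hostname and the
# working directory are hypothetical placeholders; openssl is assumed present.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-www.example.com}"   # hypothetical hostname
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"

# 1. The private key is generated locally and is never transmitted anywhere.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
}

# 2. The CSR carries only the public key plus the subject, self-signed with the
#    private key so the CA can check that the requester actually holds it.
#    This file is the only thing that goes to the reseller.
gen_csr() {
    openssl req -new -key "$KEY" -subj "/CN=$DOMAIN" -out "$CSR" 2>/dev/null
}

# Returns 0 if the CSR contains no private-key material (the one thing that must
# never be in it), 1 otherwise. A plain sanity grep before upload.
csr_is_clean() {
    ! grep -q "PRIVATE KEY" "$CSR"
}

# Returns 0 if the public key embedded in the CSR is the one derived from the
# local private key in $KEY, i.e. the two files belong together.
keys_match() {
    from_key="$(openssl pkey -in "$KEY" -pubout 2>/dev/null)"
    from_csr="$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)"
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Returns 0 if the CSR's self-signature verifies under its own public key,
# which is the proof of possession the CA relies on.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# If the key ever does leave the machine (emailed, pasted into a web form, put
# in a ticket), treat it as compromised: the certificate has to be revoked and
# the only recovery is a fresh key and a fresh CSR, i.e. rerun gen_key and gen_csr.
```

`keys_match` compares the PEM SubjectPublicKeyInfo that openssl derives from the private key with the one it extracts from the CSR; if a reseller's portal ever offers to "generate the key for you", the key it hands back would fail exactly this ownership property, since somebody else held it first.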

So Digicert had to carry out a mass revocation, and also informed Trustico’s customers of the situation directly. That angered the CEO of Trustico, because it made Trustico’s absolute and limitless incompetence public.

»As I understand it, Trustico is in the process of terminating their relationship with Digicert and switching to Comodo for issuance. I have a question for Digicert, Comodo, and other CAs:

Do you do any vetting of resellers for best practices?

While clearly most of the security burden rests with the CA, this example shows that resellers with poor security practices (archiving subscriber public keys, e-mailing them to trigger revocation, trivial command injection vulnerabilities, running a PHP frontend directly as root) can have a significant impact on the security of the WebPKI for a large number of certificate holders.

Are there any concerns that the reputability of a CA might be impacted if they willingly choose to partner with resellers which have demonstrated such problems?«

Having followed this story from Digicert’s initial email, because I received it, and having also exchanged with Trustico and RapidSSL (Digicert) support since my certificate was about to be revoked, I say that this is a very good summary.

Especially the conclusion “also ending their own presence in the security space forever”.
Which I phrased slightly differently in my reply to Digicert “They are dead”.

BTW, you know what? Trustico offered me a coupon for a free replacement of my certificate, with their own (“Trustico® Single Site”). Hmmm, not sure what I will do… (just kidding).